Configs · May 16, 2026 · 3 min read

OSV-Scanner — Google's Open-Source Vulnerability Scanner

A vulnerability scanner by Google that checks project dependencies against the OSV database, supporting lockfiles and SBOMs across multiple ecosystems to identify known vulnerabilities in open-source software.


Introduction

OSV-Scanner is a vulnerability scanner developed by Google that leverages the OSV (Open Source Vulnerabilities) database to identify known vulnerabilities in project dependencies. It understands lockfiles, SBOMs, and container images across multiple language ecosystems, providing accurate version-level matching without false positives from imprecise version range comparisons.

What OSV-Scanner Does

  • Scans project directories recursively to discover lockfiles and manifest files
  • Matches exact dependency versions against the OSV database for precise vulnerability detection
  • Supports 16+ ecosystems including npm, PyPI, Go, Maven, Cargo, NuGet, and OS packages
  • Accepts SBOM inputs in SPDX and CycloneDX formats for supply chain scanning
  • Provides guided remediation suggestions showing minimal version bumps to fix vulnerabilities

Architecture Overview

OSV-Scanner parses lockfiles to extract exact dependency names and versions, then queries the OSV.dev API (or a local mirror) for matching vulnerability records. The OSV database uses precise affected-version ranges curated by ecosystem maintainers, reducing false positives compared to CPE-based matching. The scanner supports an offline mode that works from a local database snapshot, and it integrates a call-graph analysis module (currently for Go projects) that determines whether the vulnerable code paths are actually reachable from the project.

Self-Hosting & Configuration

  • Install a single Go binary with no runtime dependencies
  • Run against any directory; auto-discovers lockfiles for supported ecosystems
  • Use --experimental-call-analysis for Go projects to filter unreachable vulnerabilities
  • Configure ignore rules in osv-scanner.toml to suppress known-accepted vulnerabilities
  • Integrate with GitHub Actions using the official action for PR-level vulnerability checks

Key Features

  • Precise version matching via OSV database eliminates CPE-based false positives
  • Multi-ecosystem support: npm, pip, Go, Maven, Cargo, Composer, NuGet, pub, and more
  • Guided remediation calculates minimum version upgrades to resolve vulnerabilities
  • Call-graph analysis (Go) determines if vulnerable functions are actually invoked
  • SBOM and container image scanning for supply chain security assessments

Comparison with Similar Tools

  • Trivy — broader scanner covering containers, IaC, and secrets; OSV-Scanner focuses purely on dependency vulnerabilities with higher precision
  • Snyk — commercial SCA with fix PRs and monitoring; OSV-Scanner is free with similar accuracy for open-source scanning
  • npm audit / pip-audit — single-ecosystem tools; OSV-Scanner provides unified scanning across all ecosystems
  • Grype — container-focused vulnerability scanner using multiple databases; OSV-Scanner uses the curated OSV database for better version-range accuracy

FAQ

Q: How does OSV-Scanner differ from generic CVE scanners?
A: OSV uses precise affected-version ranges maintained by package ecosystem experts, providing more accurate matching than CPE-based approaches that often produce false positives.

Q: Can I use OSV-Scanner offline?
A: Yes. Download a local database snapshot with osv-scanner --experimental-download-offline-databases and scan without network access.

Q: Does it support monorepos with multiple lockfiles?
A: Yes. The recursive scan mode (-r) discovers and processes all lockfiles in a directory tree, reporting vulnerabilities per lockfile location.

Q: How frequently is the OSV database updated?
A: The OSV database receives continuous updates as ecosystem maintainers and automated systems publish new advisories, typically within hours of disclosure.
